

Can viruses damage hardware?
July 12, 2009 9:19 PM   Subscribe

I recently met someone who told me he'd had to discard all the hard disks and memory chips from his computers due to their being infected by a virus. He'd had to discard graphics cards and even an expensive printer because its internal memory had become corrupted by the virus (rorschach, I think). I had never before heard of permanent damage to hardware from virus infection. Clue me in, please?
posted by carterk to Computers & Internet (46 answers total) 3 users marked this as a favorite
 
The only virus I know of that can cause someone to discard hardware is the dreaded Ignorance Plague, which Norton and McAfee still can't handle.
posted by Tomorrowful at 9:24 PM on July 12, 2009 [19 favorites]


This sounds like hogwash. RAM (the internal memory) will clear when it loses power. I have never heard of a printer being infected by a virus; that sounds highly suspect to me. A graphics card is a collection of more RAM and some specialized processors (amongst other components). None of these things would retain a virus after a complete power cycle.

The main two components that I would worry about being infected by a virus would be the motherboard's BIOS and the hard drive.
posted by kurmbox at 9:24 PM on July 12, 2009


It is not practical/possible (currently) for a single virus to permanently infect all of the subsystems on a machine you mention. Generally the only things you will ever have to replace (more likely reformat/reflash) are the disk drives and possibly the CMOS/BIOS.
posted by iamabot at 9:25 PM on July 12, 2009


To be more clear, what your friend has been told is a pile of BS, and whoever instructed him to discard his gear was fleecing him or is someone not to be allowed near a keyboard.
posted by iamabot at 9:27 PM on July 12, 2009 [3 favorites]


None of these things would retain a virus after a complete power cycle.

Graphics cards actually have BIOS ROMs that ~can~ be reflashed. Not that I have heard of these being successfully compromised.
posted by @troy at 9:30 PM on July 12, 2009



Computers don't work that way.

Also, throwing out the drives due to a virus is also crazy. It's like throwing out an Etch A Sketch because someone used it.
posted by Lord_Pall at 9:34 PM on July 12, 2009 [3 favorites]


Borrow money from this guy immediately.

(Which is to say, for the humorless out there, that he's obviously gullible and/or foolish, since what he describes is not just impossible, it's ridiculous.)
posted by rokusan at 9:50 PM on July 12, 2009


He had the ID10T virus, it appears. His computer also had a severe Layer 8 problem, which will almost certainly affect his new hardware as well.
posted by deadmessenger at 9:53 PM on July 12, 2009 [4 favorites]


He was BSing you.
posted by 517 at 10:04 PM on July 12, 2009


Actually it's entirely possible to infect or corrupt peripherals & other devices, even the CPU itself. There's been quite a bit of work done over the last few years to develop sniffers, rootkits & other nasty code that can live on just about anything that has an EEPROM. But I'm unaware of any malware in the wild that's exploiting these vulnerabilities, so in practice your friend's hardware is safe. Unless he works at an Intelligence agency or other sensitive government organization, that is.
posted by scalefree at 10:21 PM on July 12, 2009 [3 favorites]


Sorry, I hit send too early; here are some links to support my claim.

Implementing & Detecting PCI-based Rootkits
SMM Rootkits
Hackers Find a New Place to Hide Rootkits
NIC-based rootkit
posted by scalefree at 10:32 PM on July 12, 2009 [3 favorites]


As others have noted it's possible to flash EPROMs (and useful; I've done it to give my iPod different firmware, to upgrade my router, etc.)

But it would be difficult (and not often useful) to write a virus that both runs on a desktop/laptop and that can flash itself to various ROMs. Theoretically possible, yes. Possible for an entity like the NSA or KGB? Sure. Something that a spammer building a botnet is going to do? Not this year, anyway.

Your friend is either paranoid or misinformed.
posted by orthogonality at 10:34 PM on July 12, 2009


It doesn't need to be code that can run on both the peripheral & the host OS (called a Multi-Architecture Binary), which although not impossible can be very difficult to write depending on the architectures involved. All you need is a worm/virus/application exploit that runs on the host's OS & has an installer routine that takes a payload of the rootkit & flashes it onto the vulnerable device. Once the rootkit's installed you'll need to reboot the system or at least unload & reload the drivers for it so the new code can start running. Botnets aren't doing it at present because it's not necessary to write something that complex, they're successful enough as it is. But it's well within their capabilities should it come to that.
posted by scalefree at 11:00 PM on July 12, 2009 [1 favorite]


Yes, there are BIOS viruses out there, they're exceedingly rare, but they exist. However they can be recovered from. Virtually all modern computers have a "Reset" setting on the BIOS that rewrites the BIOS with an original copy from a read-only source. This can be done even if the computer isn't booting properly. After this the BIOS can be password protected to prevent the virus from overwriting it and it will only exist on the hard drive where it can be cleaned using standard AV tools.

But memory? Graphics card? That's madness. Either you're being BS'd or someone has taken advantage of your friend.

Some printers might be vulnerable since some run a Linux variant that can be pretty easily modified. However, again, there are ways to revert them.

But it just doesn't make any sense unless they pissed off some high ranking black hat. There's no one virus that will do all of these things. The friend would have needed to be infected with a number of impossibly rare viruses delivered by someone who had administrator access to the computer and knowledge of all of the computer components. Occam's razor and all... Someone is full of it.

Many many years ago there were viruses that would do nasty things to your computer, like turn off all the fans which could cause hardware failure. However no one writes viruses like that any more because they like to keep the computers working. A dead computer is just a dead computer, but a working computer can spread the virus further and can be used as a node on a botnet and used for sending spam, etc.
posted by Ookseer at 11:11 PM on July 12, 2009


Can we not confuse the question with what is theoretically possible here?

Yes, it's possible in theory to have code that infects (some) graphics cards or (some) printers.*

Similarly, the CIA could in theory already have a swarm of nanobots living in your nose hairs transmitting your whereabouts to Langley.

But get fucking serious. No way. All you folks arguing how it's theoretically possible please also state the percent likelihood that this has happened as the poster described, and/or the amount of money you'd like to bet on it. Otherwise it's a huge digression and/or disservice.

* I'd like to see the theory on infecting RAM, but that's another story.
posted by rokusan at 11:27 PM on July 12, 2009 [2 favorites]


As a data point, the CIH virus, back in the late 90s, could corrupt your BIOS and brick your machine. But any memory, peripheral devices, etc. would remain unharmed.
posted by Herschel at 11:44 PM on July 12, 2009


What rokusan said. There's a lot of interesting theoretical stuff out there, but there is no way in hell that this really happened.
posted by equalpants at 12:00 AM on July 13, 2009


As far as I know there's no code in the wild infecting peripherals or rewriting EEPROMs or FPGAs, which is what the techniques I described would take. So the probability is vanishingly small that the OP's friend actually got hit with something like that & even smaller that it would hit more than one device on a PC. Which I said in my first comment. But everybody saying it's impossible or requires the resources of an intelligence agency are also wrong. I don't know how long until it hits the Net or how virulent & widespread it'll ever be, but it's not just a myth of the early days of PCs because more & more people are writing code that does this. 5 years ago it was one guy, today it's at least 20 (and could be many more). Video cards, audio cards, TV cards, NICs, WiFi & Bluetooth cards, hard drives, CD & DVD drives, printers, scanners & CPUs all have chips that can be rewritten; about the only type of device that's immune is RAM. "Because it's impossible" is misinformation. It's very possible, it's just not common enough yet for people to worry about.
posted by scalefree at 12:04 AM on July 13, 2009


To be a little more specific: there are some really strong parallels between software infections in computer hosts and biological infections in living hosts. One of these is that monocultures promote the spread of disease; and the desktop operating system realm is effectively a monoculture. 90% of desktop computers run Windows, and most home computers run it with administrative credentials most of the time. The Windows desktop OS is low-hanging fruit for malware writers, and that's where virtually all in-the-wild infections are to be found.

The device realm is much less of a monoculture. There are a lot of different graphics cards, a lot of different BIOSes, a lot of different printers, and a lot of different models of hard drive. Writing software that can infect the firmware in these in order to achieve some nefarious end while leaving them essentially functional is at least an order of magnitude harder than doing the same thing to Windows - partly because there's so much less documentation available about their internals, but mostly because there's so much variation in those internals from model to model.

Basically, as a working black hat you get far better bang for your software development buck by targeting the Windows desktop OS than you do by targeting anything else, including assorted flashable firmware.
posted by flabdablet at 2:03 AM on July 13, 2009


This sounds like an effort by your friend to make a boring story (computer got infected) into an interesting fish tale (virus had teeth THIS BIG and SETS FIRE TO PRINTERS!!1!!). Could also be a new urban legend floating around which he has adopted and is now spreading in the first person.

As others have said, his claims are theoretically possible but practically impossible at the moment.
posted by benzenedream at 2:07 AM on July 13, 2009 [1 favorite]


Writing software that can infect the firmware in these in order to achieve some nefarious end while leaving them essentially functional is at least an order of magnitude harder than doing the same thing to Windows - partly because there's so much less documentation available about their internals, but mostly because there's so much variation in those internals from model to model.

That's an engineering problem, and one that has several lines of development for solutions. Hackers are good at finding ways to automate or commodify difficult, time-consuming procedures. All it takes is someone seeing a pattern in the variation or finding a way to extract that information from the device itself then creating a library of device codes & compiled binaries to match & we're off & running in a new war of escalating attacks & defenses.

Sorry for so much digression, hope I added something worthwhile to the answer along the way.
posted by scalefree at 2:36 AM on July 13, 2009


All it takes is someone seeing a pattern in the variation or finding a way to extract that information from the device itself then creating a library of device codes & compiled binaries to match

Yes, that's what it takes. My point is that creating such a library of device codes and compiled binaries is at least an order of magnitude more work than creating a Windows executable, and that the number of targets that such a library could run on is at least an order of magnitude smaller than the population of Windows desktop OS instances, and the rate at which device models turn over is so much greater than the rate at which Windows does that such a library would need a large amount of continuous work to keep it up to date - all of which makes it much less saleable, and much less likely to propagate successfully if released into the wild as a worm or virus.

I fully expect to keep seeing occasional reports of proof-of-concept BIOS, hard disk firmware, graphics card firmware, printer firmware and CPU microcode infectors. I will be very, very surprised if I ever see one in the wild.
posted by flabdablet at 3:08 AM on July 13, 2009


I can see the advice your friend received being the result of asking an expert something like "My PC seems to have a virus - what can I do about it?"

Telling somebody that they would be best off replacing their entire PC to clear the problem is unlikely to be true from the point of view of the hardware being damaged. However the advice may still be in the best interest of your friend if fixing the problem will require several hours of time from somebody who knows what they are doing. If this time were invoiced it could easily exceed the cost of just buying new hardware. If the time is not invoiced then maybe the expert consulted does not want to provide it for free. If your friend replaces their PC then they will probably be technically better off than they were before - and they will get up and running less expensively and more rapidly than they would do otherwise.
posted by rongorongo at 3:27 AM on July 13, 2009


Here's twenty bucks that says that whoever told your friend that he had to throw away all that hardware because a virus had infected it also ‘kindly’ offered to ‘dispose of it’ for him.
posted by koeselitz at 4:54 AM on July 13, 2009


kurmbox writes "I have never heard of a printer being infected by a virus;"

There are printer viruses, most of them spread via PostScript and the most effective would attack printers with hard drives. However I haven't seen one in around a decade.
posted by Mitheral at 5:47 AM on July 13, 2009


Mitheral writes There are printer viruses, most of them spread via PostScript and the most effective would attack printers with hard drives. However I haven't seen one in around a decade.

Wow, that's neat, I hadn't heard of that before. I did some quick searching and found this and this (only tangentially related, though). Anyone have any old articles about these postscript viruses? I'd like to read about them.
posted by kurmbox at 6:33 AM on July 13, 2009 [1 favorite]


In my 15 years of tech support, the only "virus" I've heard of that can fry hard drives, memory, graphics cards and printers simultaneously... is a lightning strike (or some other power/electrical related abnormality).
posted by jmnugent at 6:51 AM on July 13, 2009


I am pretty sure that I read long ago, perhaps even before Windows boxes had a GUI, that someone had written a virus that could cause a CRT monitor to malfunction permanently. I can not remember what it did to cause the malfunction, but I would bet that modern CRT monitors (is that an oxymoron yet?) would have protection circuits to shut them down prior to such damage. I think it was also possible to cause damage to some floppy drives. This is far different from infecting the devices with code though.
posted by caddis at 6:53 AM on July 13, 2009


Seriously, your friend is either being victimized by bad advice, or is badly misinterpreting computer problems, and needs some better assistance.
posted by theora55 at 7:17 AM on July 13, 2009


Unlikely. It's the person you recently met who needs to be clued-in, carterk.

I remember that viruses hiding in printer buffers was a common joke on the BBSes in my area in the early '90s. I seriously doubt that the PostScript Trojan was ever anything more than a concept.
posted by paulg at 7:49 AM on July 13, 2009


Sounds like someone was in need of cash and your friend had plenty. On the bright side, if you need hardware cheap and quick, you know where to go.
posted by tommasz at 8:02 AM on July 13, 2009


No. In theory it's possible, but just in theory.
posted by chairface at 9:45 AM on July 13, 2009


Also: have a look at this thread, specifically the discussion from this comment on down. Note carefully how even the most alarmist representative of the you-must-nuke-and-pave-it school of thought doesn't raise the possibility of a BIOS or other firmware infection - even given his extreme "rootkits are sneaky and nasty and undetectable" view, his advice is that rewriting the hard disk contents is enough to clean up an infected computer.

I'm with him on the sufficiency, if not the necessity.
posted by flabdablet at 7:03 PM on July 13, 2009


What do you know, this turned out to be a pretty interesting thread, thanks. The situation giving rise to my question is complex and I prefer not to elaborate on it. But again, I'm in awe of AskMe as a way to get informed answers to questions. You make my life better.
posted by carterk at 8:27 PM on July 13, 2009


In my 10+ years in the industry, I've only seen one virus ever attack a BIOS chip. And this was in 1998, by a kid who bought the computer one day, and instantly started downloading "virus creation software" from god knows where. I forget the name, but it was a fairly rare one, that could only be gotten by the truly foolish. And indeed, it would wipe the eeprom.
posted by gjc at 6:50 AM on July 14, 2009


I note in passing that wiping a BIOS EPROM is a hell of a lot easier than designing malware that will (a) hide in some unused part of the BIOS, regardless of BIOS manufacturer or revision (b) do something nefarious to any OS booted via that BIOS (c) successfully hijack a BIOS reflash floppy so as to prevent itself being removed.
posted by flabdablet at 7:12 AM on July 14, 2009


BIOS EEPROM isn't the prime target. And although people are doing work on peripherals, as others have noted it's a hit-or-miss situation whether a target host even has that device. But every PC has a CPU. For several years now all x86 CPUs have had a special mode called System Management Mode, where the chip's functions can be altered. If you've had a Mac for a while you'll remember having to install some upgrades that required a special reboot where something was flashed to the hardware. Same thing. It's basically a spare piece of chip space that the manufacturer can use to fix bugs that weren't discovered before the thing shipped, so you don't have to buy a whole new chip. Problem is, whoever controls the PC can flash their own code into that space just as easily as you can.

As others have noted, the biggest problem with rootkitting graphics cards or NICs is diversity. Everybody has a different set of peripherals, so your hit rate will be too low to make it worthwhile. But what's the breakdown when it comes to CPUs? If your hit rate is 1 in 10 or 1 in 5 instead of 1 in 50 or 100 (all numbers POOMA), maybe it starts looking worth your while.
posted by scalefree at 11:06 AM on July 14, 2009


Doesn't System Management Mode involve loading stuff into on-CPU RAM, rather than on-CPU flash, and doesn't that mean that either the BIOS or an OS would have to re-infect the CPU every time it powered up in order for a SMM-based infection to persist?
posted by flabdablet at 12:52 AM on July 15, 2009


By the way, this suggests I have that right.
posted by flabdablet at 12:54 AM on July 15, 2009


Yeah that locks down one vulnerability, but as the authors of one recent SMM rootkit tutorial have said:
It would be naive to assume that SMM is secure as long as BIOS firmware "locks down" SMM memory by setting D_LCK bit in SMRAMC register (original attack from [smm]). Other vulnerabilities already found in SMM protections as demonstrated in [xen_0wn].
Security is an ever-evolving field, with yesterday's impossible becoming today's "purely theoretical" becoming tomorrow's practical & commonplace.
posted by scalefree at 2:17 PM on July 15, 2009
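The D_LCK bit quoted above is a concrete, checkable thing, so here is an added example (mine, not scalefree's and not from the tutorial being quoted) that decodes an Intel SMRAMC (SMRAM Control) register byte and reports whether the BIOS locked SMRAM before handing control to the OS. The bit layout (D_OPEN, D_CLS, D_LCK, G_SMRAME, C_BASE_SEG) follows the public Intel chipset datasheets; the sample register readings are constructed. On real hardware the byte would come from PCI configuration space with root privileges, which is what a firmware-audit tool such as Intel's CHIPSEC does; this block only decodes a byte it is handed, and, as the quoted text warns, "locked" is necessary but not sufficient.

```python
"""Decode an Intel SMRAMC register byte and judge whether SMRAM is locked.

Added example. Bit layout per the public Intel chipset datasheets; the
sample values in SAMPLE_READINGS are constructed, not read from hardware.
"""

D_OPEN = 1 << 6         # SMRAM open: non-SMM code can read and write SMRAM
D_CLS = 1 << 5          # SMRAM closed: SMM data accesses are redirected to system RAM
D_LCK = 1 << 4          # lock: D_OPEN is forced to 0 and SMRAMC is read-only until reset
G_SMRAME = 1 << 3       # global SMRAM enable
C_BASE_SEG_MASK = 0x7   # compatible SMRAM base segment (010b = 0xA0000-0xBFFFF)


def decode_smramc(value: int) -> dict:
    """Split the 8-bit register into its named fields."""
    if not 0 <= value <= 0xFF:
        raise ValueError("SMRAMC is an 8-bit register")
    return {
        "d_open": bool(value & D_OPEN),
        "d_cls": bool(value & D_CLS),
        "d_lck": bool(value & D_LCK),
        "g_smrame": bool(value & G_SMRAME),
        "c_base_seg": value & C_BASE_SEG_MASK,
    }


def assess_smram_lock(value: int) -> str:
    """Return a verdict string whose first word is DISABLED, OPEN, UNLOCKED or LOCKED."""
    f = decode_smramc(value)
    if not f["g_smrame"]:
        return "DISABLED: G_SMRAME clear, SMRAM is not enabled at all"
    if f["d_open"]:
        return "OPEN: SMRAM is readable and writable from normal mode"
    if not f["d_lck"]:
        return "UNLOCKED: D_LCK clear, so SMRAMC is still writable and D_OPEN could be set later"
    # Necessary but not sufficient: other SMM protection flaws are not visible in this register.
    return "LOCKED: D_LCK set, SMRAMC is read-only until reset and D_OPEN cannot be raised"


# Constructed readings standing in for three different firmware states.
SAMPLE_READINGS = {
    "vendor_firmware_a": 0x1A,   # 0001 1010: D_LCK | G_SMRAME | base 010b
    "vendor_firmware_b": 0x0A,   # 0000 1010: enabled but never locked
    "mid_bios_update":   0x4A,   # 0100 1010: D_OPEN raised while flashing
}


def audit(readings: dict) -> dict:
    """Map each reading name to the one-word verdict."""
    return {name: assess_smram_lock(v).split(":")[0] for name, v in readings.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_READINGS).items():
        print(f"{name:20s} {verdict}")
```

The design point is that the verdict is ordered by severity: an enabled-but-open SMRAM is worse than an unlocked one, and even a LOCKED result only says the one register checked out.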


I am pretty sure that I read long ago, perhaps even before Windows boxes had a GUI, that someone had written a virus that could cause a CRT monitor to malfunction permanently.

It was a Hercules graphics card, from the late 80s maybe. If you set both horizontal & vertical scan rate to 0 you could burn out a single pixel at a time. There never was a virus or any other malware that actually exploited it.

I think it was also possible to cause damage to some floppy drives.

5 1/4" drives had a barrier that stopped the heads from going past the edge of the disk, and if you directed the heads to bang up against it repeatedly you could whack the heads out of alignment. There probably was a demo program you could run that made this happen but it was never the payload of any covert malware.
posted by scalefree at 5:40 PM on July 15, 2009


It would be naive to assume that SMM is secure...

I'm not attempting to support any assumptions about the security or otherwise of SMM. All I'm saying is that the memory that SMM uses is volatile, which means that power cycling will always be sufficient to wipe any exploits that are hiding in there.

There are assorted infection removal products available that boot into their own environments, completely independent of anything that may persist on the hard disk. The only way to even begin to hide from these would be to make your malware persist in non-volatile storage from which code executes before the boot block of the infection remover. In practice, that means that it would have to lurk inside the BIOS - either on the motherboard flash EPROM, or in the BIOS extension EPROMs on PCI cards - and it would have to do something clever with SMM early on so that the infection remover can't see it after booting, and it would have to subvert all the possible ways that an infection remover could access the storage hardware it's supposed to be cleaning. All of which is way less robust than subverting Windows, and therefore much less likely to be useful in practice as a mechanism to persist and spread malware.

Infection removal tools have a built-in edge in this particular arms race, because all they need to do is replace whatever is currently stored in e.g. BIOS or device EPROMs with a vanilla factory image of what's supposed to be there. They don't need to find an infection - they can just preemptively stomp them whether they exist or not.

You know the old conundrum about whether God can create a rock so heavy that not even God can lift it? It seems to me that any coder with enough skills to embed a SMM-based rootkit in a usefully wide range of BIOSes could also create a tool that would be guaranteed to remove any such infection, even if it had to be released on a plugin PCI card to gain control sufficiently early after a system reset.
posted by flabdablet at 10:18 PM on July 15, 2009


Researchers find insecure BIOS 'rootkit' pre-loaded in laptops

Black Hat paper & presentation.

Welcome to tomorrow.
posted by scalefree at 2:05 PM on July 31, 2009


Whilst using ACPI as a means of persisting a rootkit in the system BIOS has numerous advantages for the rootkit writer over "traditional" means of persistence ... it is relatively easy to detect an ACPI rootkit by ... booting from read-only media that does not load an ACPI device driver and auditing the ACPI tables located in system memory (in essence, this is the same cross-view detection method that is typically used to locate a rootkit on disk).

The authors go on to talk about using a plugin PCI device as a superior (mainly because it gets control earlier in the boot sequence) method of persisting a rootkit.

So I'll say it again: It seems to me that any coder with enough skills to embed a SMM-based rootkit in a usefully wide range of BIOSes could also create a tool that would be guaranteed to remove any such infection, even if it had to be released on a plugin PCI card to gain control sufficiently early after a system reset.
posted by flabdablet at 6:51 PM on July 31, 2009
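The quoted paper describes cross-view detection: boot from read-only media and audit the ACPI tables in memory against what should be there. Here is an added example (mine, not the paper's and not flabdablet's) of that audit's core: it parses the 36-byte ACPI System Description Table header (layout per the ACPI specification), verifies each table's checksum, and diffs the tables against a baseline of SHA-256 digests recorded on a boot you trust. It is the same "compare against a known-good copy" idea flabdablet raised earlier for BIOS and device EPROMs. All table blobs and the baseline below are constructed fixtures; on a real system you would feed it the tables exported by the trusted boot environment.

```python
"""Cross-view check of ACPI tables against a known-good baseline.

Added example. Header layout per the ACPI specification; the table blobs,
OEM identifiers and baseline below are constructed fixtures, not real firmware.
"""
import hashlib
import struct

# Signature, Length, Revision, Checksum, OEMID, OEM Table ID, OEM Revision,
# Creator ID, Creator Revision (36 bytes, little-endian)
HEADER = struct.Struct("<4sIBB6s8sI4sI")
HEADER_LEN = HEADER.size
CHECKSUM_OFFSET = 9


def parse_header(table: bytes) -> dict:
    if len(table) < HEADER_LEN:
        raise ValueError("table shorter than an ACPI header")
    sig, length, rev, chk, oem_id, oem_tid, oem_rev, cid, crev = HEADER.unpack_from(table)
    text = lambda b: b.decode("ascii", "replace").strip("\x00 ")
    return {"signature": text(sig), "length": length, "revision": rev, "checksum": chk,
            "oem_id": text(oem_id), "oem_table_id": text(oem_tid), "oem_revision": oem_rev,
            "creator_id": text(cid), "creator_revision": crev}


def checksum_ok(table: bytes) -> bool:
    """ACPI requires every byte of the table, checksum byte included, to sum to 0 mod 256."""
    return sum(table) % 256 == 0


def build_table(signature: bytes, body: bytes, oem_table_id: bytes) -> bytes:
    """Assemble a constructed table with a valid checksum (fixture helper)."""
    header = HEADER.pack(signature, HEADER_LEN + len(body), 1, 0, b"CONSTR", oem_table_id, 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[CHECKSUM_OFFSET] = (-sum(table)) & 0xFF
    return bytes(table)


def table_key(table: bytes) -> str:
    h = parse_header(table)
    return f"{h['signature']}/{h['oem_table_id']}"   # several SSDTs share a signature


def record_baseline(tables) -> dict:
    """Run once on a boot you trust (e.g. read-only media) and keep the result offline."""
    return {table_key(t): hashlib.sha256(t).hexdigest() for t in tables}


def cross_view(current, baseline: dict) -> dict:
    """Compare the tables visible now with the trusted baseline."""
    findings = {"bad_checksum": [], "modified": [], "unexpected": [], "missing": []}
    seen = {}
    for t in current:
        key = table_key(t)
        seen[key] = hashlib.sha256(t).hexdigest()
        if not checksum_ok(t) or parse_header(t)["length"] != len(t):
            findings["bad_checksum"].append(key)
        if key not in baseline:
            findings["unexpected"].append(key)
        elif baseline[key] != seen[key]:
            findings["modified"].append(key)
    findings["missing"] = sorted(set(baseline) - set(seen))
    return findings


# Constructed fixtures: "clean" tables stand in for a trusted boot, the others for the system now.
CLEAN_DSDT = build_table(b"DSDT", b"\x10\x2b\x5c\x00" * 8, b"DSDTCLN ")
CLEAN_SSDT = build_table(b"SSDT", b"\x08\x5f\x53\x42" * 4, b"CPUPM   ")
BASELINE = record_baseline([CLEAN_DSDT, CLEAN_SSDT])

TAMPERED_SSDT = build_table(b"SSDT", b"\x08\x5f\x53\x42" * 4 + b"\xa4\x00", b"CPUPM   ")  # body grew, checksum recomputed
EXTRA_SSDT = build_table(b"SSDT", b"\xa0\x0a", b"UNLISTED")                                 # table absent from the baseline
_c = bytearray(CLEAN_DSDT); _c[-1] ^= 0xFF
CORRUPT_DSDT = bytes(_c)                                                                     # flipped byte, stale checksum


def run_check() -> dict:
    return cross_view([CORRUPT_DSDT, TAMPERED_SSDT, EXTRA_SSDT], BASELINE)


if __name__ == "__main__":
    for kind, keys in run_check().items():
        print(f"{kind:12s} {keys}")
```

Note that the tampered SSDT passes the checksum, since anyone altering a table can recompute it; only the digest comparison against the trusted baseline catches it, which is why the baseline has to come from a boot the attacker could not influence.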


If your recovery strategy includes usage of a plugin PCI card, I'd say you should rethink your strategy. You may be technically correct but I can guarantee your hypothetical card will never see wide acceptance in the marketplace. And your strategy completely leaves many laptops out as they have no PCI slot available to plug in this card. There comes a point where the transaction cost of recovery becomes higher than replacement cost. As BIOS rootkits become more prevalent I suspect we'll find out exactly where that point is.
posted by scalefree at 4:21 PM on August 2, 2009


Symantec can make a business out of selling shit-grade "security" software for hundreds of dollars year after year after year. If a rootkit-proofing PCI/PCMCIA/whatever card costs about as little to make as a small memory stick (which it could easily do, since the only hardware it's going to need is a relatively small flash EPROM and a write-protect switch) then it could easily be bundled with existing anti-malware products and sold for a tidy profit.

Also, if this issue does turn out to be real, it's not going to take mobo and expansion card manufacturers long to start releasing products that require a physical write-enable jumper to be fitted before they can be re-flashed, and this is a guaranteed, absolute fix.

I'll happily bet you a dollar that malware persisting in places other than the main storage drive will never, in fact, affect more than 1% of personal computers in the field.
posted by flabdablet at 6:34 PM on August 2, 2009

